1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
|
<def-group>
<definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
{{% if FILEPATH is not string %}}
{{{ oval_metadata("This test makes sure that " + FILEPATH|join(", ") + " is group owned by " + GID_OR_NAME + ".") }}}
<criteria>
{{% for filepath in FILEPATH %}}
<criterion comment="Check file group ownership of {{{ filepath }}}" test_ref="test_file_groupowner{{{ FILEID }}}_{{{ loop.index0 }}}" />
{{% endfor %}}
{{% else %}}
{{{ oval_metadata("This test makes sure that " + FILEPATH + " is group owned by " + GID_OR_NAME + ".") }}}
<criteria>
<criterion comment="Check file group ownership of {{{ FILEPATH }}}" test_ref="test_file_groupowner{{{ FILEID }}}" />
{{% endif %}}
</criteria>
</definition>
{{% for filepath in FILEPATH %}}
<unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of {{{ filepath }}}" id="test_file_groupowner{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
<unix:object object_ref="object_file_groupowner{{{ FILEID }}}_{{{ loop.index0 }}}" />
</unix:file_test>
<unix:file_object comment="{{{ filepath }}}" id="object_file_groupowner{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
{{%- if IS_DIRECTORY -%}}
{{%- if RECURSIVE %}}
<unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
{{%- endif %}}
<unix:path>{{{ filepath[:-1] }}}</unix:path>
{{%- if FILE_REGEX %}}
<unix:filename operation="pattern match">{{{ FILE_REGEX[loop.index0] }}}</unix:filename>
{{%- else %}}
<unix:filename xsi:nil="true" />
{{%- endif %}}
{{%- else %}}
<unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
{{%- endif %}}
<filter action="exclude">symlink_file_groupowner{{{ FILEID }}}_uid_{{{ GID_OR_NAME }}}</filter>
<filter action="exclude">state_file_groupowner{{{ FILEID }}}_gid_{{{ GID_OR_NAME }}}_{{{ loop.index0 }}}</filter>
</unix:file_object>
<unix:file_state id="state_file_groupowner{{{ FILEID }}}_gid_{{{ GID_OR_NAME }}}_{{{ loop.index0 }}}" version="1">
{{%- if GROUP_REPRESENTED_WITH_GID %}}
<unix:group_id datatype="int">{{{ GID_OR_NAME }}}</unix:group_id>
{{%- else %}}
<unix:group_id datatype="int" var_ref="var_dedicated_groupowner{{{ FILEID }}}_uid_{{{ GID_OR_NAME }}}"></unix:group_id>
{{%- endif %}}
</unix:file_state>
{{% endfor %}}
<unix:file_state id="symlink_file_groupowner{{{ FILEID }}}_uid_{{{ GID_OR_NAME }}}" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
{{%- if not GROUP_REPRESENTED_WITH_GID %}}
<ind:textfilecontent54_object id="obj_dedicated_groupowner{{{ FILEID }}}_uid_{{{ GID_OR_NAME }}}" version="1" comment="gid of the dedicated {{{ GID_OR_NAME }}} group">
{{%- if product in ["rhcos4","ocp4"] %}}
{{# CoreOS doesn't list all groups in /etc/group - that's probably related to the FS immutability #}}
<ind:filepath>/usr/lib/group</ind:filepath>
{{%- else %}}
<ind:filepath>/etc/group</ind:filepath>
{{%- endif %}}
<ind:pattern operation="pattern match">^{{{ GID_OR_NAME }}}:\w+:(\w+):.*</ind:pattern>
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<!-- variable storing count of all group names - including duplicates -->
<local_variable id="var_dedicated_groupowner{{{ FILEID }}}_uid_{{{ GID_OR_NAME }}}" datatype="int" version="1"
comment="Count of all group names (including duplicates if any)">
<object_component item_field="subexpression" object_ref="obj_dedicated_groupowner{{{ FILEID }}}_uid_{{{ GID_OR_NAME }}}"/>
</local_variable>
{{%- endif %}}
</def-group>
|
